[*] BUYER: The House Committee on Veterans' Affairs dated May 25, 2006 will 
come to order. 

If somebody will get the door for us, please. 

By way of housekeeping, we only have the secretary for about 45 minutes, and 
there's a hearing on the Senate side that starts at 10 o'clock. He will be taking Mr. 
McClain with him. Others of his staff will remain and step forward at the table when 
the secretary leaves. 

I will give an opening, and then I'm going to yield to Mr. Strickland for an opening, 
and then we're going to immediately go to questions. 

What I would propose is that, because we only have him for 45 minutes, I do a 
unanimous consent that each member may have three minutes to do questions so 
we try to give quick latitude to all the members. Any objections? All right. Hearing no 
objections, so ordered. 

The purpose of this hearing is to learn more about the recent loss of personal data 
belonging to as many as 26.5 million veterans and some spouses experienced by the 
Department of Veterans Affairs. 

We have a meltdown in V.A.'s information management. According to V.A. this 
meltdown has resulted in a catastrophic failure to safeguard sensitive personal data. 

Last Monday, the Department of Veterans Affairs released a statement 
acknowledging that a data analyst took home electronic data which he was 
authorized to access at work but not authorized to bring home. 
The burglary of his home and the theft of his computer resulted in the loss of that 
data. This serious incident was not communicated to this committee until Monday, 
May 22nd, 19 days after the theft and one hour prior to its release to the public. 

We must answer some pressing questions, which include how did this breach of 
information management happen, what will we do to protect veterans' identity theft, 
what policies and regulations are in place at the department that should have 
stopped the mismanagement of information, and what is the V.A. doing to eliminate 
the vulnerabilities associated with the security of sensitive information, and many 
others from my colleagues. 

And let me be clear, we are here today to inform America's veterans and their 
families what the government is doing to protect them against fraud and ease their 
efforts to protect themselves. 

Our veterans and their families must be assured of how you, Mr. Secretary, will 
safeguard the information they place in your hands. Whether or not any identity 
fraud results from the theft of this computer carried home by this V.A. employee, 
what is clear is damage has been done. 

Speaking as one of those millions of veterans such as even yourself, Mr. Secretary, 
the prospect of fraud, of theft, of the awful prospect of repairing damaged credit is 
bad enough. For that stress to be caused by our own federal government is deeply 
disturbing, and I know everyone here agrees it is intolerable. 

There will, unfortunately, be a certain percentage of the 26.5 million veterans that 
will have to deal with identity theft in the normal course of life. And now some of 
them will blame the V.A., so that's going to be a challenge for you. 

Beyond the very personal dimension, this incident has implications regarding the 
larger picture of control over V.A. information technology. Over the last seven years, 
we've seen compelling evidence of information security problems at the V.A., and I 
refer to committee hearings in which I've chaired. 

On May 11th of 2000, the GAO stated that computer security is, quote, "critical to 
the V.A.'s ability to safeguard its assets, maintain the confidentiality of sensitive 
information, and ensure the reliability of its financial data. The V.A. I.G. 
acknowledged the department-wide weakness in information security systems that 
continue to make V.A.'s program and financial data vulnerable to error and fraud," 
end quote. 

At a September 21, 2000 hearing GAO stated, quote, "Serious computer security 
problems persisted throughout the department and VHA because V.A. had not yet 
fully implemented an integrated security management program and VHA had not 
effectively managed computer security at its medical facilities," end quote. 

At the April 4, 2001 hearing the I.G. continued, quote, "to identify significant 
information security vulnerabilities that placed the department's data systems at risk 
of unauthorized access and disclosure." The I.G. testified that, quote, "Many of these 
vulnerabilities exist in violation of V.A. policy," end quote. 

At a March 13, 2002 hearing the I.G. repeated findings of the vulnerabilities of V.A.'s 
information technology. 

Then, almost four years ago today, on May 20th and May 21st, WISH-TV 8 I-team 
led by Karen Hensel in Indianapolis, Indiana went to Goodwill and bought three 
computer hard drives. 

Two of those hard drives, she learned, were never cleansed, and they contained 
hospital patient records from the Roudebush V.A. Hospital in Indianapolis -- the 
names of veterans, their Social Security numbers, home address, phone numbers, 
pages and pages of government credit card numbers, information regarding 
veterans' arrest records, whether they were receiving drug and alcohol counseling, 
whether they were disabled. 

One of the veterans was blind, disabled and living alone and was a combat veteran 
and discussed his case. One of the patients was HIV -- 120 of those computers were 
sold at a surplus sale without ever having been cleansed. So we went through all the 
hearings on that -- oh, the controls are going to be in place, we assure the 
committee. 

At the September 26, 2002 hearing the I.G.'s testimony stated that, quote, 
"Penetration testing completed during the past two years verified that the V.A.'s 
information system could be exploited to gain access to sensitive veteran health and 
benefit information." 

At a March 17, 2004 hearing the V.A. testified that, quote, "There was a glide path in 
place for meeting the April 2004 deadline for the beginning of the VETSNET 
deployment." VETSNET has been in development for a decade. I've been told that 
VETSNET will not deploy in 2006 and maybe not even now till 2007. 

As chairman of the Subcommittee on Oversight and Investigations and now chairman 
of this committee, I've led a bipartisan effort to centralize V.A.'s I.T. infrastructure 
and control over its I.T. systems. 

Last November this House voted unanimously, 408-0, to centralize I.T. management 
of the department's chief information officer. Both the department and the Senate 
have sadly resisted such centralization of V.A.'s I.T. architecture. Even the 
independent budget of the VSOs opposed centralization of V.A.'s I.T. infrastructure in 
their 2007 budget. 

The V.A. inspector general, in his November 2005 report entitled Major Management 
Challenges of Fiscal Year 2005, stated that, quote, "V.A. has not been able to 
effectively address the significant information security vulnerabilities and reverse the 
impact of its historically decentralized management approach." 

The report went on to say that, quote, "While the V.A. has accelerated efforts to 
improve federal information security, more needs to be done to put security 
improvements in place that effectively eliminate the risk and vulnerabilities of 
unauthorized access and misuse of sensitive information," end quote. 

Look where we are here today, Mr. Secretary. This committee, this Congress -- 
we've asked to empower the CIO to put his arms around this one, and that was 
resisted. I have even asked about letting the V.A. be on parity with other 
departments with regard to political appointments. That's been resisted. 

And now what we have is we've got some management questions. This isn't just an 
issue of a low-level employee. There's very serious mismanagement of information 
technology that's at stake. 

So with that context, I believe there's a damaged trust, angered veterans and 
families, and there are systematic flaws. And, Mr. Secretary, this is a defining 
moment of your leadership. 

With that, I yield now to Mr. Strickland. 

STRICKLAND: Mr. Chairman, I would yield to my colleague from California, Mr. 
Filner, and I would ask that my statement be entered into the record, please. 

BUYER: Thank you, Mr. Strickland. 

All members who may have opening statements, your statements will be submitted 
for the record. 

Mr. Filner, you're now recognized. 

FILNER: Thank you, Mr. Chairman. And thank you for this hearing. Thank you for 
your opening remarks. I associate myself completely with them. You laid out the 
complete record. I think that we don't have to -- anybody has to repeat. So I 
appreciate the strong attitude toward this. 

We are now presented, as the chairman said, with a catastrophic problem. The V.A. 
simply did not protect essential personal information entrusted to its care. Now and 
for the next few decades, maybe, a potential sword of Damocles hangs over the 
financial well-being of over 26 million veterans unless this data is recovered. 

In the last five years, as the chairman outlined, a host of agencies -- the V.A. 
inspector general, the GAO, prominent I.T. consultants -- have reported that V.A. 
has many problems with information security. 

We found multiple failures under the Federal Information Security Management Act, 
the reviews of that act, and we note that three or four information security 
recommendations to the V.A. by the Government Accountability Office in March 2002 
have yet to be implemented. Outside contractors note related problems. And what 
does V.A. react to, apparently? With indifference. 

Internal V.A. recommendations to strengthen the control of information meet with 
resistance. Even Secretary Principi's directive to centralize information technology at 
the V.A. in 2002 was met with indifference. It was not implemented. 

In the last few years, this committee and its subcommittees have chronicled 
problems related to unclear lines of I.T. management authority throughout the V.A., 
to information security officer training in the VBA, to sensitive information releases 
on unscrubbed computer hard drives at the V.A. medical centers -- a host of very 
expensive major computer projects failures and delays. 

We rarely see accountability in either the I.T. or information security world at the 
Veterans Administration. The individual responsible for the release of the unscrubbed 
hard drives was soon promoted. Again, V.A. seems to react with indifference to its 
problems in this area. 

As Chairman Buyer pointed out, the problem before us today is not unexpected. It 
has sprung from a culture of indifference, a culture of indifference at the Veterans 
Administration, and grown strong among the leaders that have allowed it to grow. 

The most important agent in information control and security in an organization is its 
leadership. When they are not proactive, Mr. Secretary, bad things happen. And a 
very thing's happened that we're looking at today. 

Too much time transpired before Congress was notified. Sure, you needed to hope 
that the thing was found, but you could have briefed the chairman and others in this 
body about what happened. 

Too much time transpired before veterans were notified. And when you did notify 
them, you left it to them to go contact their credit bureau or their banks. You didn't 
say we will take care of it, we will be behind you, we will pay for the problems that 
you might have. 

V.A.'s message was trust us, we will handle it. Well, we should now question if, even 
after this wake-up call, you are up to the task. 

Certainly, this administration has proclaimed its need to collect information on our 
citizens. On May 11th President Bush defended those actions by noting that the 
privacy of ordinary Americans is fiercely protected in all of our activities. 

Well, I think this debacle before us today clearly demonstrates the folly of the 
president's attempt to place us at ease regarding the administration's ability to 
fiercely protect our privacy. This does not meet my definition of fierce protection. I 
only see indifference. 

Mr. Chairman, I appreciate again this opportunity to look into this incredible disaster. 

BUYER: Thank you, Mr. Filner. 

And I associate myself with Mr. Filner's comments. 

Testifying now will be Secretary Nicholson. Secretary Nicholson is accompanied by 
the Honorable Allen Pittman, the assistant secretary of human resources and 
administration; the Honorable Robert J. Henke, assistant secretary for management; 
retired Army Major General Bob Howard, the acting assistant secretary for 
information and technology; Pedro Cadenas, Junior, associate deputy assistant 
secretary for cyber and information security and the acting deputy assistant 
secretary for information technology; Dennis M. Duffy, acting assistant secretary for 
policy, planning and preparedness; Michael McLendon, deputy assistant secretary for 
policy; and the Honorable Tim McClain, the department's general counsel. 

Case 1:06-cv-01038-JR Document 18-10 Filed 01/09/2007 Page 7 of 19 

All individuals of whom I have just identified, if you would please stand, and I'm 
going to swear all of you in. Please raise your right hand. Do solemnly swear the 
testimony you're about to give, including answers to questions of the committee 
members, is the truth, the whole truth, so help you God? Please take your seats. 

Mr. Secretary, you're now recognized. 

NICHOLSON: Mr. Chairman, members of the committee, thank you for giving me the 
opportunity to appear before you today to explain a devastating occurrence that has 
happened in my agency that's come to my attention recently and it was announced 
to all on Monday of this week. 

I am the person ultimately responsible to our veterans, and therefore the 
responsibility for this situation rests on me. A V.A. employee who was a data analyst 
took home electronic data files from the V.A. He was not authorized to do so, nor 
were they encrypted. His house was burglarized and the data were stolen. This 
happened on May 3rd. 

If that wasn't bad enough, I wasn't notified about this event until May 16th. As a 
veteran myself, I have to tell you that I'm outraged. I'm frankly mad as hell. 

But I must carry on and lead the efforts to get to the bottom of this and take the 
corrective actions to see that it doesn't happen again. My compass for this is the 
veterans. How do we best take care of them now and mitigate the effects of this on 
them? 

These stolen data contained identifying information, including names and dates of 
birth, for up to 26.5 million veterans and some of their spouses. 

In addition, that information, plus Social Security numbers, was available for some 
19.6 million of those veterans. Also included, possibly, were some numerical 
disability ratings and the diagnostic codes which identify the disabilities being 
compensated. 

It is important to note that the data did not include any of the V.A.'s electronic 
health records. Neither did it contain explicit financial information, although knowing 
of a disability rating could enable one to compute what the implied terms of 
compensation payments are. 

On May 3rd, the employee's home was broken into in what appears to local law 
enforcement to have been a routine breaking and entering -- that is, a random 
burglary, not a targeted one -- and the V.A. data were stolen. 

The employee has been placed on administrative leave pending the outcome of an 
investigation with which he is cooperating. 

As I've said, I am a veteran too, and I am outraged at the loss of our veterans' 
personal data. And I'm outraged at the fact that an employee would put us all at risk 
by taking it home in violation of V.A. policies with which he was very familiar. 

I'm also very outraged that it was not until May 16th that I was notified of this 
incident. And I'm upset about the timing of the department's overall response once 
the burglary became known. I will not and have not tolerated inaction and poor 
judgment when it comes to protecting our veterans. 

Appropriate law enforcement agencies, including local police, the FBI and the V.A. 
inspector general's office, have launched full-scale investigations into this matter. 
Authorities believe it is unlikely the perpetrators targeted the items stolen because of 
any knowledge of the data contents. 

It is possible that the thieves remain unaware of the information they possess or 
how to make use of it. Because of that, we have attempted to describe the 
equipment stolen, the location from which it was stolen and other information in 
quite general terms. 

We have not and do not want to provide information to the thieves that might be 
more helpful as to the nature of what they have. We still hope that this was a 
common theft, and that no use will be made of the V.A. data. 

From the moment I was informed, the V.A. began taking all possible steps to protect 
and inform our veterans. However, there were those in the law enforcement 
community who wanted me to wait longer before announcing this theft so as to 
pursue leads and keep the burglars in the dark. 

I chose to inform our veterans nevertheless, but limiting the details of where and 
when initially so as not to tip our hand to the robbers. Whether it is one veteran or 
the numbers we are talking about here today, the V.A. needed to act in a manner 
that maintained a balance between protecting our veterans and informing the 
crooks. 

Another very disturbing aspect of this circumstance is that although it happened on 
May 3rd, and the V.A. employee informed his bosses of this fact on that day, I was 
not made aware, as I said, until May 16th. 

Equally disturbing is that federal law enforcement and investigating agencies were 
not informed immediately either. It wasn't until May 10th that the V.A. I.G. became 
aware of it. I cannot explain these lapses in judgment on the part of my people. It 
makes me really angry and disappointed. And after the I.G. finishes his investigation 
as to exactly what went on, I plan to take decisive actions. 

V.A. now also has begun a relentless examination of our policies and procedures to 
find out how we can prevent something like this from happening again. We will stay 
focused on the problems until they're fixed. 

I've formed a special task force under the deputy secretary to examine 
comprehensively all of our information security programs and policies to bring about 
a ringing change in the way we do business. 

Ever since 1999, the V.A. has gotten low marks from the I.G. on its information and 
cyber security programs. Last year, the GAO flunked the V.A. on its cyber security 
system. This has to change. 

This situation is exacerbated by the fact that the assistant secretary for I.T., who has 
been at the V.A. since the beginning of '04, has just recently resigned. He came to 
the V.A. from the private sector, Dell Computers, and has now returned to the 
private sector. We do have and think we have recruited a good replacement, but he's 
not in place at this time. 

Ironically, we, the V.A., continue to get very exemplary evaluations on electronic 
medical record systems. And during Hurricane Katrina, the system and our people 
performed heroically to evacuate hundreds of patients and save many lives. 

We're also off to a strong start on our I.T. reformation to centralize all of our I.T. 
applications except for development. What this suggests is that we can get this 
information and cyber security mission done right also. 

I'm also pleased that just yesterday the president announced his intention to 
nominate a brilliant recently retired Navy admiral to head up our office of policy and 
planning, where this incident arose from. He should be on board very soon. 

Additionally, we are taking direct and immediate action to address and alleviate 
veterans' concerns and to regain their confidence. I have taken the following actions 
so far: Directed all V.A. employees complete the V.A. cyber security awareness 
training course and complete the separate general employee privacy awareness 
course by June 30, 2006. 

I've also directed a memo be issued requiring all V.A. employees to sign annually an 
employee statement of awareness that includes their awareness of the privacy act, 
unauthorized disclosing or using directly or indirectly information obtained as a result 
of employment in the V.A. which is of a confidential nature or which represents a 
matter of trust or other information so obtained of such a character that its 
disclosure or its use would be contrary to the best interests of the V.A. or the 
veterans being served, and certify their awareness on the loss of, damage to or 
unauthorized use of government property, through carelessness or negligence, or 
through maliciousness or intent. 

In addition, the department will immediately be conducting an inventory and review 
of all current positions requiring access to sensitive V.A. data. The inventory will 
determine whether positions, in fact, require access to data. 

We will then be requiring all employees requiring access to sensitive V.A. data to 
undergo an updated national agency check and inquiries and/or a minimum 
background investigation, depending on the level of access required by the 
responsibilities associated with their position, because it's come to my attention also 
that we know virtually nothing about these people that have access to these 
enormous amounts of data -- for example, this individual having the entire veteran's 
file, one person, who has not, to our knowledge, had a background check for 32 
years. 

I've directed the Office of Information & Technology to publish by June 30 of this 
year, as a V.A. directive, the revisions to the security guidelines for single-user 
remote access developed by the Office of Cyber and Information Security. This 
document will set the standards for access, use and information security, including 
physical security, incident reporting and responsibilities. 

V.A. is working with Congress, the news media, and veterans' service organizations 
and other government agencies to help ensure that those veterans and their families 
are aware of the situation and of the steps they may take to protect themselves from 
misuse of their personal information. 

V.A. is coordinating with other agencies to send individual notifications to all 19.6 
million individuals whose Social Security numbers were stolen, instructing them to be 
both vigilant in order to detect any signs of possible identity theft and how to protect 
themselves. 

In the meantime, veterans can also go to www.firstgov.gov for more information on 
this matter. This is a federal government Web site capable of handling large amounts 
of Web traffic. 

Additionally, the V.A. has set up a manned call center that veterans may use to get 
information about this situation and learn more about consumer identity protections. 
That toll free number is 1-800-333-4633. 

The call center operates from 8 a.m. to 9 p.m., Monday to Saturday, and it will as 
long as it's needed. The call center handles up to 20,000 calls an hour. Through the 
end of the day yesterday, concerned veterans had made a total of 105,753 calls to 
this number. 

I want to acknowledge the significant efforts of numerous government agencies in 
assisting the V.A. in preparing for this announcement on May 22nd. Agencies at all 
levels of the federal government pitched in to ensure that our veterans had 
information on actions they could take to protect their credit. Hundreds of people 
worked around the clock last weekend writing materials to inform the veterans and 
setting up call centers and a Web site to ensure maximum dissemination of the 
information. And I want to personally thank each of these agencies and the people 
therein for their selfless efforts on behalf of our veterans. 

The three nationwide credit bureaus have established special procedures to handle 
inquiries and requests for fraud alerts from our veterans. 

Experian and TransUnion have placed a front-end message on their existing toll-free 
fraud lines, bypassing the usual phone tree, with instructions for placing a fraud 
alert. Equifax has set up a new toll-free number for veterans to place fraud alerts. 

The new procedures became operational on Tuesday. The bureaus report a spike in 
phone calls, 171 percent of normal, and in requests for free credit reports through 
the annual free credit report web site. The Federal Trade Commission also 
experienced high call volumes about the incident earlier this week. 

On Monday, the Office of Comptroller of the Currency notified its examiners of the 
theft. On Tuesday, the Office of Comptroller posted an advisory on an internal 
network available to its banks and instructed the examiners to direct their banks to 
the advisory. It explains what happened and asks the banks to exercise extra 
diligence in processing veterans' payments. 

The advisory also reminds the banks of their legal obligations to verify the identities 
of persons seeking to open new accounts and to safeguard customer information 
against unauthorized access or use and attaches a summary of relevant laws and 
regulations. 

I briefed the attorney general and the chairman of the Federal Trade Commission, 
co-chairs of the president's identity task force, shortly after I became aware of this 
occurrence, and they have been very cooperative as well. 

Task force members have already taken actions to protect the affected veterans, 
including working with the credit bureaus to help ensure that veterans receive the 
free credit report that they're entitled to under the law. 

Additionally, the task force met on Monday to coordinate the comprehensive federal 
response, to recommend further ways to protect affected veterans, and increase 
safeguards to prevent the recurrence of these incidents. 

On Monday, following the announcement of this incident, I also issued a 
memorandum to all V.A. employees. The purpose was to remind them of the public 
trust we hold and to set forth the requirement that all employees complete their 
annual general privacy training and V.A. cyber security awareness training for the 
current year by June 30. 

Following that, all will be required to sign a statement of commitment and 
understanding which will acknowledge consequences for non-compliance. 

Information security is challenging business. And ultimately, it depends on the 
integrity and the work ethics of the work force. 

BUYER: Mr. Secretary, if you could summarize your conclusion, please. 

NICHOLSON: OK. I wanted to just, for purposes of one graphic -- and this is not the 
equipment that was involved in this, so I can use it. But this is a hard drive. This 
little piece of equipment that's smaller than my wallet has 60 gigabytes. 

The information that we're dealing with here, this entire roll of our veterans and the 
data on it, has five gigabytes. So you could put 12 times that on that piece of 
equipment that fits easily into one's pocket. 

All of us carry a cell phone, a BlackBerry or a personal digital assistant, and they 
contain vast amounts of data. I promise you that we will do everything in our power 
to structure a policy and a regulatory regime that make clear what is proper use of 
this data by our employees. We will train employees in these policies and enforce 
them. 

We've already begun discussions regarding the immediate automatic encryption of all 
sensitive information. We will work with the president's task force very closely. 

V.A.'s mission to serve and honor our nation's veterans is one we take seriously. And 
the 235,000 dedicated V.A. employees are deeply saddened by any concern or 
anxiety this incident is causing to our veterans and their families. 

We honor the service of our veterans and what they've done for our country, and 
we're working hard to keep this most unfortunate circumstance from causing them 
undue pain and anxiety. Thank you. 

BUYER: Thank you, Mr. Secretary. 

To my colleagues, sitting to the secretary's right is Mr. George Opfer. He is the V.A.'s 
I.G. and it was on purpose that he was not sworn in. 

I will also ask unanimous consent that Thelma Drake and Jim Walsh be permitted to 
sit at the dais of the Veterans Affairs Committee. Hearing no objection, so ordered. 

I want to thank Chairman Walsh for being present today. He also wanted to hold his 
own hearing on this and given the time constraints was not able to. And it's 
impressive that he's taken equal concern on this. 

What we have here, Mr. Secretary, is this committee working cooperatively with Mr. 
Walsh and Mr. Chet Edwards on I.T., and when we -- before you took this job, we've 
been working hard on I.T. And when we couldn't get the V.A. to listen, we worked 
cooperatively with not only setting forth our budget, taking out $400 million to get 
somebody's attention, but the appropriators also followed suit. 

I'm going to yield so other members can ask questions. The only thing I'd like for 
you to take away from this at this point, Mr. Secretary -- we intend to have follow-on 
hearings. 

I would ask this of you. Whether you at the V.A. would likely -- no, rephrase this. 
Would you consider offering a reward, say a $1 million reward, for information that 
would lead to the arrest or recovery of this device? I want you to think about that. I 
want you to work with the Department of Justice on whether or not that could be 
helpful to us. 

That $1 million is nothing compared to what we're about to expend. You've already 
sent us a reprogramming notice for $25 million. So I don't know where this could 
end. But I want you to consider that. 

At this point, let me yield to Mr. Bilirakis for two minutes. 

BILIRAKIS: Thanks, Mr. Chairman. 

Mr. Secretary, welcome, I guess. Mr. Secretary, in Vietnam you were a true, most 
courageous hero, a true hero. You received many awards. I doubt that the difficulties 
you found there are as bad as they are with the V.A. 

I'd like to get to -- in two minutes' time, how can we? But, you know, foundationally, 
this is a problem in the V.A. It's foundational. Others will ask questions regarding 
this particular instance, and I'm as concerned about it as anybody else is. 

But let me just go into this -- Mr. Chairman, I'd like to ask unanimous consent that a 
two-page document, a written statement by a Dr. Leon A. Kappelman, be made a 
part of the record. 

And I'd like to quote from that, Mr. Secretary, very quickly here. "V.A. has tens of 
thousands of dedicated, hard-working employees committed to the important 
mission of serving our nation's veterans and their families. But there is a dark side to 
V.A. Its bureaucratic culture is unprincipled, profligate and intransigent. I've seen 
them ignore Congress, GAO, OMB and one executive appointee after another. Oh, 
they know how to play the game to get the executive and Congress to open the 
budget floodgates, but V.A. doesn't really care how the dollars are actually spent as 
long as it doesn't interfere with business as usual at V.A. I have personally seen V.A. 
personnel sabotage and subvert hundreds of millions of dollars' worth of I.T. projects 
and read about billions more wasted and other failures. I've seen a total disregard 
for one cyber security effort after another. These are only the tip of the iceberg. And 
why do such things happen at V.A.? Largely because these systems and efforts 
would make the utilization of budget and personnel more transparent and thereby 
make accountability possible." Mr. Secretary, without going into the merits of these 
statements and that sort of thing -- the gentleman is not here for us to cross 
examine or whatever -- but I think we all agree that there is a problem there, a basic 
bureaucratic type of a problem -- at least I hope we all agree. 

And I ask you, if that is the case -- let's go on the premise that that is the case -- 
can't you do something about it? What is preventing you from -- I guess this task 
force reviewing the entire V.A. and basically saying hey, we're going to chop here, 
we're going to change here, we're going to do this, we're going to do that? 

Is it civil service? Does anything prevent you from doing these things? Are we sort of 
stuck with this kind of an image on the premise, now, again, that this is basically 
true? And I, frankly, think that it is, based on my experience over 24 years on this 
committee. 

NICHOLSON: No. I mean, I'm aware of the history of these problems that the 
chairman and the ranking member have recited. There are others. I'm trying to 
ascertain exactly how many people telecommute. 

Yesterday I was talking to an employee on this subject. It was a data expert who 
asked somebody to burn some records, some health records, for him onto a CD 
that he needed for a project. It was done. They were mailed to him very timely, tidy. 

He wrote an e-mail back to him and he said that was great, that was prompt, I really 
appreciate it, where do you work here at the V.A. central office, maybe I'll run into 
you and we could have a cup of coffee. And the guy says I don't work here, I work in 
South Dakota. And so we have people telecommuting all over this country. 

And we need to get our arms around who these people are and what they're like. 
And they have enormous amounts of data, with enormous amounts of potential, not 
necessarily because they may be up to mischief, but they may be like the current 
case where they're negligent, and this is an enormous troubling situation. 

But I will say to you that you cannot default to it. We have to fix it. And we can. 

BILIRAKIS: Do you have the authority? Do you have the power to fix it? 

NICHOLSON: Well, if we don't have it, we'll come and seek it. But you raise a good 
point, Mr. Chairman, because there are things that are called guidelines which some 
employees think do not apply because they say guideline, and they don't say 
directives. 

And that has a history to it as well, about how expeditious you can get out a 
guideline versus the time it takes to do a directive. I will say that the thing needs to 
be reviewed from tip to stern. 

We have queued up, I think, a very strong leader to come in and replace the person 
that has left as the chief information officer that I told you about, who I think did a 
very good job in forcing us into the transformation that we're now in on centralizing, 
you know, a portion of I.T. for business purposes and so forth. 

But in the information security area, there's a lot needed, but it can be done. These 
things can be fixed. 

BUYER: I thank the gentleman. 

I'm going to hit this and go right to Mr. Filner. What assurance can you, Mr. 
Secretary, give veterans that if, indeed, these records end up in the hands of identity 
thieves that veterans will not suffer financially or otherwise for these illegal attacks 
on their credit? 

NICHOLSON: Well, I think before I could give you that assurance I'm going to have 
to work with, you know, the Congress and see if it could be funded if they suffer, you 
know, a loss from this. 

We are working at a fever pitch with several proprietary companies that are in this 
business trying to help monitor consumers', people's, credit records for them, and 
we're meeting with them, reviewing their proposals. 

With the enormous amount of people involved, there's going to be a substantial cost 
to that. But that would give a lot of peace of mind to our veterans if they suffer a 
loss. The system of then compensating that, which I think is something that's owed 
to a veteran, we'll have to figure out. 

BUYER: Mr. Filner, you're recognized for two minutes. 

FILNER: Thank you, Mr. Chairman. 

What was the highest level official who didn't tell you for 13 days about this? 

NICHOLSON: That knew it during that time before -- the deputy secretary. 

FILNER: Is he going to be fired? 

NICHOLSON: I'm reviewing all these issues, Mr. Filner, with a view toward what 
actions that I'm going to take, and I'm going to take -- but the I.G. is continuing to 
do some work on this, and I want to... 

FILNER: You know, your responses are incredibly bureaucratic. We can't get -- I 
don't see -- as I've told you, I don't see any passion. I don't see any, you know, view 
that -- you said I take responsibility. Well, the most dramatic thing you could do to 
take responsibility is resign. 

I mean, you didn't know there was a war going on, so we didn't have enough -- we 
couldn't take care of the veterans. Now, your own people don't tell you about the 
theft of 26 million veterans. And you go through all this bureaucratic rigamarole. You 
issue something to veterans, frequently asked questions, and you tell them if you 
have any problem, call your credit bureau, call your bank. Where is your 
responsibility in all this? You claim your responsibility but you tell your veterans go 
call a number, which -- you gave the wrong number, by the way, from your 
testimony. At least it's different than in your press release. 

So you're not taking any responsibility, not only financially, but, you know, for this 
management debacle. And you said time and again, from your press release, there's 
no medical data here. Is that what you have said? 

NICHOLSON: Yes, I said none of the medical records were... 

(CROSSTALK) 

FILNER: Yes, but you're being very bureaucratic. Isn't there a diagnostic code on 
here that indicates a specific injury, disability or medical condition that's part of the 
record here? 

NICHOLSON: For disability recipients, yes. 

FILNER: Well, why not state that clearly and bluntly? Every specific code relates to a 
specific health condition, and the disability codes are linked to specific individuals by 
their name and date of birth, and they reveal each disabled veteran's medical 
problems and conditions, correct? 

NICHOLSON: Yes, I think that would be correct, yes. 

FILNER: Yes, so we have medical knowledge floating around here on 26 million 
people. You should resign, Mr. Secretary. 

NICHOLSON: No, sir. I mean, it happens to be those that are getting disability, which 
is not a small number. It's about 2.6 million. 

FILNER: Three million people suffer from that, OK. 

BUYER: Thank you, Mr. Filner. 

Mr. Stearns, you're recognized for two minutes. 

STEARNS: Yes, thank you, Mr. Chairman. 

I would say to Mr. Filner that Mr. Nicholson has indicated he takes full responsibility, 
so -- but, I mean, he said that personally, and I understand, with his record, how 
upset he is. 

But, Mr. Secretary, have you fired the employee who lost this information? And why 
not? 

NICHOLSON: He has been put on administrative leave pending further action. There 
are other people, to go back to Mr. Filner's comment, who are also in my sights as a 
result of this. 

STEARNS: Do you have internal controls? For example, why wasn't this 
information encrypted? In commercial corporations, they encrypt all this information 
as a standard operating procedure. How in the world could a person take this outside 
and not be encrypted? 

NICHOLSON: One, he wasn't authorized to take it home at all, but we have a 
standing regulation, standing policy, that anybody who is authorized to take sensitive 
information... 

STEARNS: So you had in place... 

NICHOLSON: ... outside of their work station... 

STEARNS: OK. 

NICHOLSON: ... has to have it encrypted. 

STEARNS: Do you have in place an internal security operation with a security chief, 
with internal audits, and occasionally an outside audit to confirm that this 
information is secure in the Veterans Administration? Just yes or no. 

NICHOLSON: Yes. 

STEARNS: What is this going to cost the Veterans Administration? Your first 
diagnosis of this -- what do you think this is going to cost and you're going to need 
from this committee? 

NICHOLSON: That's a tough call, because it's going to depend on what -- you know, 
at what level we decide -- you -- 

STEARNS: You're talking about $20 million, $5 million, $2 billion? 

NICHOLSON: No, we're talking... 

STEARNS: I mean, you must have a figure. 

NICHOLSON: ... I would say we're talking way north of $100 million. 

STEARNS: So you might be talking about $500 million. 

NICHOLSON: It could be, yes, sir. 

STEARNS: OK. 

Thank you, Mr. Chairman. 

BUYER: Thank you. 

Mr. Gutierrez? 

GUTIERREZ: Yes, I yield to... 

NICHOLSON: Mr. Chairman, I'm sorry, but I'm going to have to -- I'm committed to 
go to the Senate. 

(UNKNOWN): (OFF-MIKE) 

GUTIERREZ: Thank you very much. I yield to Corinne Brown. 

C. BROWN: Thank you very much. 

Mr. Secretary, can you see me in my nice pretty red suit? This Monday all of us will 
be facing our veterans in the memorial celebration. And I don't know what we're 
supposed to say. They're going to paint us all with the same brush. 

What assurances will we be able to give them that the 26 million veterans' records -- 
how have we notified them? Have we assured them that we're going to work with 
them throughout the process? 

And I also want to know -- you know, some of our veterans will say this could have 
been an inside job. Have we done lie detector with everybody involved? 

NICHOLSON: Well, as I said, Congresswoman, I hate this, I'm sure, more than you 
do, and I'll take responsibility for it. It happened at my organization. And I think 
what we are doing is everything we can in the time that we've had so far to try to 
get the word out to the veterans. 

We're going to send them each a letter. We can't send 26 million letters 
instantaneously. We've found out we can't right now get 26 million envelopes. But 
we're under way getting them. And they will each get a letter. 

You could help inform us with the 1-800 number and the Web site, the media, 
because we want each of them to know what to do and to know that right now there 
is no reason to panic. There is no sign that any of this is being used at this time. 

C. BROWN: Mr. Secretary, I asked the question: What assurances do we have? 
Because this identity theft is a very possible thing. How do you know it wasn't an 
inside job? 

NICHOLSON: Because the local law enforcement authorities that investigated the 
scene of the crime -- that was the first question I asked, by the way -- are convinced 
that it was a real break-in. 

BUYER: Ms. Brown? 

C. BROWN: Yes, sir. 

BUYER: I thank you. 

C. BROWN: Well, are we going to be able to give these questions in writing? 

BUYER: Yes. If anybody has questions in writing, they will be -- please, you can 
submit them, and we will get them to the secretary. 

The last questioner, Mr. Miller, recognized for two minutes. Then the secretary has to 
leave. 

Thank you, Ms. Brown. 

MILLER: Thank you very much, Mr. Chairman. 

I did hear the secretary in his opening remarks refer to the fact that there were 
codes that was in this information, so I do think he brought it to this committee's 
attention, contrary to my colleague's question. 

Two things. Number one, why would an employee take this information home? 

NICHOLSON: Congressman Miller, he took it home to work it. He was working on a 
project where he was trying to streamline a telephonic polling that we do of veterans 
periodically, and it's done randomly, that they're called and asked a series of 
questions, which is -- you know, it's benign. 

We're trying to find out what's going on in their life, how we're doing with them, how 
they're doing, and so forth, and he thought he had a way that he could make this 
more efficient in the selection of the veterans that we were calling. And he took this 
data home to work it. 

MILLER: And my second question -- and of course, we're all concerned about the 
financial implications to the veterans, but I also want to know, you know, the 
financial institutions, banks, credit unions, retailers, anybody that may get caught up 
in this -- who is going to be responsible for the costs that may be incurred for private 
entities out there? 

NICHOLSON: Well, you know, I suppose the ultimate answer to that question is 
going to be up to you all that make the laws. I mean, we're... 

MILLER: Let me ask you... 

NICHOLSON: ... it happened because of us. 

MILLER: Let me ask it this way. What would your recommendation be? 

NICHOLSON: Well, my recommendation would be that we be responsible for it. We 
caused it. 

MILLER: Thank you. That's what I wanted to hear. 

BUYER: All right. 

Mr. Secretary, thank you very much. You and Mr. McClain are excused. Thank you. 

I'd now like the other witnesses to please come to the table to replace the secretary 
and the general counsel. If staff could help them, what we may have to do is bring 
your chairs to the front. To all of my colleagues, while this administrative shuffle is 
occurring, the team that the secretary is leaving behind is the team that's 
responsible for cyber security and in charge of plans and policy. 

There is a hearing on the Senate side that starts at 10 o'clock, and that's the 
purpose of the secretary's and general counsel's exit. 

But what I wanted to ensure for all of my colleagues is that as the secretary leaves 
these are the individuals who are in the responsible positions. 

Ms. Berkley? 

BERKLEY: Thank you, Mr. Chairman. With all due respect, and I'm sure these are the 
men and women that do the nuts and bolts on this issue, but I was hoping to talk to 
the secretary and have an opportunity to question him. 

Will he be available to us? It seems that something this important -- one hour in 
front of this committee simply is not enough. Oh, I'm sorry, 45 minutes. 

BUYER: Forty-five minutes. We will entertain that. We're going to have follow-on 
hearings. If the secretary is necessary, we will bring the secretary back before the 
full committee. We can do briefings to members. I'll seek your counsel. 

BERKLEY: Yes, I would appreciate that. Thank you, Mr. Chairman. 

BUYER: Yes, ma'am. 

BERKLEY: And I'm going to the I.R. Committee markup. 

BUYER: All right. Thank you. 

All right, Mr. Michaud, you're now recognized. 

The committee will come to order, please. People can either take seats -- and please 
close the door. If someone can help out and make sure all the name plates can be 
read by the members, please. 